I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts) and 6.6 in Ubuntu.

I have set up an SSH Certificate authority, and as such I put in the following line at the top of my known_hosts file:

    @cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I've contacted over the years.

If I do ssh-keygen -R <ip> it has the unintended consequence of matching on the offending entry in the known_hosts file *and* my cert-authority entry:

    $ ssh-keygen -R 10.50.3.149
    # Host 10.50.3.149 found: line 1 type RSA <--This is my cert-authority
    # Host 10.50.3.149 found: line 512 type ECDSA
    /Users/mlindgren/.ssh/known_hosts updated.
    Original contents retained as /Users/mlindgren/.ssh/known_hosts.old

Created attachment 2447
preserve markers when hashing/removing known_hosts

Yes, it also barfs on @revoked keys. This patch should fix it, but the code is a tangled mess and should be more broadly refactored.

patch applied - this will be in openssh-6.7. Thanks!
Close all bugs left open from 6.6 and 6.7 releases.
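
A check for hosts still running an affected release, added here as an example and not part of the bug thread or of OpenSSH: it compares known_hosts against the known_hosts.old backup that ssh-keygen -R leaves behind (as shown in the report) and puts back any @cert-authority or @revoked line that went missing. The function names are hypothetical and the sample keys and host names are constructed.

```shell
#!/bin/sh
# Added example: after `ssh-keygen -R`, verify that no @cert-authority or
# @revoked line present in known_hosts.old has vanished from known_hosts.

MARKER_RE='^[[:space:]]*@(cert-authority|revoked)[[:space:]]'

# lost_markers OLD NEW: print marker lines found in OLD but absent from NEW.
lost_markers() {
    grep -E "$MARKER_RE" "$1" | while IFS= read -r line; do
        # -F fixed string, -x whole line: key material is never treated as a regex
        grep -Fxq -- "$line" "$2" || printf '%s\n' "$line"
    done
}

# restore_markers OLD NEW: append any lost marker lines back onto NEW.
# Returns 0 if nothing was lost, 1 if lines had to be restored.
restore_markers() {
    lost=$(lost_markers "$1" "$2")
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost" >> "$2"
    return 1
}

# Constructed sample data: two marker lines, one hashed entry, one plain entry.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/known_hosts.old" <<'EOF'
@cert-authority *.example.test ssh-rsa AAAAB3CONSTRUCTEDCAKEY
@revoked * ssh-rsa AAAAB3CONSTRUCTEDREVOKEDKEY
|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ecdsa-sha2-nistp256 AAAAE2CONSTRUCTEDHOSTKEY
host2.example.test ssh-ed25519 AAAAC3CONSTRUCTEDHOSTKEY2
EOF
    # Simulate the reported result: the intended hashed entry is removed,
    # and the marker lines are removed along with it.
    grep -v -e '^@' -e '^|1|' "$dir/known_hosts.old" > "$dir/known_hosts"
    lost_markers "$dir/known_hosts.old" "$dir/known_hosts"
    rm -rf "$dir"
}

demo   # prints the two marker lines that the simulated removal dropped
```

Against real files this would be called as restore_markers ~/.ssh/known_hosts.old ~/.ssh/known_hosts immediately after the ssh-keygen -R run, before the backup is overwritten by the next one.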